Challenges)in)Cloud)) Compu0ng)Security)...Challenges)in)Cloud)) Compu0ng)Security)!!!!...
Transcript of Challenges)in)Cloud)) Compu0ng)Security)...Challenges)in)Cloud)) Compu0ng)Security)!!!!...
Challenges)in)Cloud))Compu0ng)Security)
!!!!
Carlos)B.)Westphall,)Carla)M.)Westphall,)Rafael)Weingärtner,)Daniel)R.)dos)Santos,)Paulo)F.)da)Silva,)
Pedro)A.)F.)ViD,)Kleber)M.)M.)Vieira))!
Networks)and)Management)Laboratory)Federal)University)of)Santa)Catarina)
NOVEMBER)16TH,)LISBON,)PORTUGAL) IARIA)NetWare)2014)W)TUTORIAL)2) 1!
Summary!
) Cloud!Compu/ng!Security!Monitoring!!) Federated! Iden/ty! to! Cloud! Environment!Using!Shibboleth!
) A! Vision! of! Privacy! on! Iden/ty! Management!Systems!!
) Risk)based! Access! Control! Architecture! for!Cloud!Compu/ng!
) RAClouds!–!Risk!Analysis!for!Clouds!
!!!!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 2!
Cloud!Compu/ng!!Security!Monitoring!!
NOVEMBER!16TH,!LISBON,!PORTUGAL! 3!IARIA!NetWare!2014!)!TUTORIAL!2!
Outline!
1. INTRODUCTION!!2. RELATED!WORKS!3. SECURITY!CONCERNS!IN!CLOUD!COMPUTING!4. CLOUD!MONITORING!5. SECURITY!CONCERNS!IN!SLA!6. CLOUD!SECURITY!MONITORING!7. CASE!STUDY!
!!!!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 4!
Outline!
8.!KEY!LESSONS!LEARNED!9.!CONCLUSIONS!AND!FUTURE!WORKS!10.!SOME!REFERENCES!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 5!
1.!INTRODUCTION!
)! Numerous! threats! and! vulnerabili/es! that!become! more! important! as! the! use! of! the!cloud! increases,! as! well! as,! concerns! with!stored!data!and! its!availability,!confiden/ality!and!integrity.!!
)!Need!for!monitoring!tools!and!services,!which!provide!a!way!for!administrators!to!define!and!evaluate!security!metrics!for!their!systems.!!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 6!
1.!INTRODUCTION!
) We! propose! a! cloud! compu/ng! security!monitoring! tool! based! on! our! previous!works! on! both! security! and! management!for!cloud!compu/ng.!
) Features! of! cloud! compu/ng! such! as!virtualiza/on,!mul/)tenancy!and!ubiquitous!access! provide! a! viable! solu/on! to! service!provisioning!problems.!!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 7!
1.!INTRODUCTION!
) What! are! the! new! risks! associated! with! the!cloud! and! what! other! risks! become! more!cri/cal?!
) We! provide! some! background! in! security!concerns! in! cloud!compu/ng,!briefly!describe!a! previous! implementa/on! of! a! monitoring!tool! for! the! cloud,! show! how! security!informa/on! can! be! summarized! and! treated!under!a!management!perspec/ve.!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 8!
2.!RELATED!WORKS!
) Uriarte! and! Westphall! [4]! proposed! a!monitoring! architecture! devised! for! private!Cloud! that! considers! the! knowledge!requirements!of!autonomic!systems.!!
) Fernades!et!al.![5]!surveys!the!works!on!cloud!security! issues,! addressesing! key! topics:!vulnerabili/es,! threats,! and! aeacks,! and!proposes!a!taxonomy!for!their!classifica/on.!!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 9!
2.!RELATED!WORKS!
) Cloud!Security!Alliance![6]!has!iden/fied!the!top!nine!cloud!compu/ng!threats.!The!report!shows!a!consensus!among!industry!experts.!!
) Mukhtarov! et! al.! [7]! proposed! a! cloud!network!security!monitoring,!which! is!based!on! flow! measurements! and! implements! an!algorithm! that! detects! and! responds! to!network!anomalies.!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 10!
!3.!SECURITY!CONCERNS!IN!CLOUDS!
!!) Each!cloud! technology!presents! some!kind!of!known! vulnerability:! Web! Services,! Service!Oriented!Architecture!(SOA),!Representa/onal!State! Transfer! (REST)! and! Applica/on!Programming! Interfaces! (API),! virtualizarion,!network!infrastructure...![8].!
) The! usual! three! basic! issues! of! security:!availability,! integrity! and! confiden/ality! are!s/ll!fundamental!in!the!cloud.!!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 11!
!3.!SECURITY!CONCERNS!IN!CLOUDS!
!!) Mul/)tenant! characteris/c:! one! single!vulnerable! service! in! a! virtual! machine,!exploita/on! of! many! services! hosted! in! the!same!physical!machine.!
) Web! appl ica/ons! and! web! services:!suscep/ble!to!a! lot!of!easily!deployed!aeacks!such! as! SQL! injec/on,! Cross)Site! Scrip/ng!(XSS),! Cross)Site! Request! Forgery! (CSRF)! and!session!hijacking.!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 12!
!3.!SECURITY!CONCERNS!IN!CLOUDS!
!!) Another! important! topic! in! cloud! security! is!Iden/ty! and! Access! Management,! because! now!data! owners! and! data! providers! are! not! in! the!same!trusted!domain![9].!!
) The!main! security!management! issues! of! a! Cloud!Serv ice! Prov ider! (CSP)! are:! ava i lab i l i ty!management,! access! control! management,!vulnerability! management,! patch! and! configu)!ra/on! management,! countermeasures,! and! cloud!usage!and!access!monitoring![10].!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 13!
!3.!SECURITY!CONCERNS!IN!CLOUDS!
!!) The!cloud!is!an!easy!target!for!an!intruder!trying!to!use!its!abundant!resources!maliciously,!and!the!IDS!also! has! to! be! distributed,! to! be! able! to!monitor!each!node![11].!
) Distributed! Denial! of! Service! (DDoS)! aeacks! can!have! a! much! broader! impact! on! the! cloud,! since!now! many! services! may! be! hosted! in! the! same!machine.! DDoS! is! a! problem! that! is! s/ll! not! very!well!handled.!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 14!
!3.!SECURITY!CONCERNS!IN!CLOUDS!
!!) To! maintain! data! security! a! provider! must!include,! at! least:! an! encryp/on! schema,! an!access!control!system,!and!a!backup!plan![12].!
) When!moving!to!the!cloud!it!is!important!that!a!prospec/ve!customer!knows!to!what!risks!its!data! are! being! exposed.! Some! of! the! key!points! considered! in! this! migra/on! are!presented!in![13,!20,!and!21].!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 15!
!3.!SECURITY!CONCERNS!IN!CLOUDS!
!!) Legal! compliance! is! fundamental! when!dealing! with! cloud! compu/ng.! In! the! cloud!world,! it! is! possible! that! data! cross! many!jurisdic/on!borders.!!
) Availability!and!confiden/ality!are! cri/cal! to!the! telecommunica/ons! business! and! if!services!are!being!deployed!in!a!public!cloud!without!a!proper!SLA![15].!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 16!
!4.!CLOUD!MONITORING!!
!!) Our! team! has! previously! proposed! and!implemented! an! open)source! cloud!monitoring! architecture! and! tool! called! the!Private!Cloud!Monitoring! System! (PCMONS)![14].!
) The! architecture! of! the! system! is! divided! in!three! layers:! Infrastructure;! Integra/on;!and!view.!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 17!
!4.!CLOUD!MONITORING!!
!!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 18!
!5.!SECURITY!CONCERNS!IN!SLA!!!
!!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 19!
) Providers!must!have!ways!to!ensure!their!clients!that!their!data!is!safe!and!must!do!so!by!monitoring!and!enhancing!security!metrics.!
) SLAs!may!also!be!used! in! the!defini/on,!monitoring! and! evalua/on! of! security!metrics,! in! the! form!of! Security! SLAs,!or!Sec)SLAs![15].!
!6.!CLOUD!SECURITY!MONITORING!!
!!) We! now! propose! an! extension! to! the!PCMONS! architecture! and! tool! to! enable!security!monitoring!for!cloud!compu/ng.!!
) We! also! present! the! security!metrics!which!we! consider!adequate! to!be!monitored! in!a!cloud! infrastructure! and! which! provide! a!good! picture! of! security! as! a! whole! in! this!environment.!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 20!
!6.!CLOUD!SECURITY!MONITORING!!
!!) The! tool! uses! data! and! logs! gathered! from!security! somware! available! in! the! monitored!systems,!such!as!IDSs,!an/)malware!somware,!file! system! integrity! verifica/on! somware,!backup! somware,! and! web! applica/on!firewalls.!
) The! en//es! involved! in! the! defini/on,!configura/on! and! administra/on! of! the!security!SLAs!and!metrics!are:!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 21!
!6.!CLOUD!SECURITY!MONITORING!!
!!) Cloud! users;! Cloud! administrators;! and!Security!applica/ons.!
) Data!Security!Metrics,!Access!Control!Metrics!and! Server! Security! Metrics! are! shown! in!Table!I,!Table!II,!and!Table!III,!respec/vely.!
) If!a!virtual!machine!has!had!a!huge!number!of!failed! access! aeempts! in! the! last! hours! we!may!want!to!lock!any!further!access.!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 22!
!6.!CLOUD!SECURITY!MONITORING!!
!!
Metric)) Descrip0on))
Encrypted!Data?!! Indicates!whether!the!data!stored!in!the!VM!is!encrypted!!
Encryp/on!Algorithm!! The!algorithm!used!in!the!encryp/on/decryp/on!process!!
Last!backup!! The!date!and!/me!when!the!last!backup!was!performed!!
Last!integrity!check!! The!date!and!/me!when!the!last!file!system!integrity!check!was!performed!!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 23!
TABLE!I.!DATA!SECURITY!METRICS!!!
!6.!CLOUD!SECURITY!MONITORING!!
!!
Metric)) Descrip0on))
Valid!Accesses!! The!number!of!valid!access!aeempts!in!the!last!24!hours!!
Failed!access!aeempts!!! The!number!of!failed!access!aeempts!in!the!last!24!hours!!
Password!change!interval!! The!frequency!with!which!users!must!change!passwords!in!the!VM’s!opera/ng!system!!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 24!
TABLE!II.!ACCESS!CONTROL!METRICS!!!!
!6.!CLOUD!SECURITY!MONITORING!!
!!
Metric)) Descrip0on))
Malware!! Number!of!malware!detected!in!the!last!an/)malware!scan!!
Last!malware!scan!! The!date!and!/me!of!the!last!malware!scan!in!the!VM!!
Vulnerabili/es!! Number!of!vulnerabili/es!found!in!the!last!scan!!
Last!vulnerability!scan!! The!date!and!/me!of!the!last!vulnerability!scan!in!the!VM!!
Availability!! Percentage!of!the!/me!in!which!the!VM!is!online!!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 25!
TABLE!III.!SERVER!SECURITY!METRICS!!
!7.!CASE!STUDY!
!!) We!have! implemented!the!metrics!presented!in!Tables!I)III!and!gathered!the!data!generated!in!a!case!study.!
) The! following! somware! were! used! to! gather!the! secur i t y! i n fo rma/on :! dm)c ryp t!(encryp/on),! rsync! (backup),! tripwire!(filesystem! integrity),! ssh! (remote! access),!clamAV! (an/)malware),! /ger! (vulnerability!assessment)!and!up/me!(availability).!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 26!
!7.!CASE!STUDY!
!!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 27!
!7.!CASE!STUDY!
!!) It! represents! how! the! metrics! are! shown! in!Nagios!and!it!is!possible!to!see!the!vision!that!a! network! administrator! has! of! a! single!machine.!!
) The!metrics!HTTP!CONNECTIONS,!LOAD,!PING,!RAM!and!SSH!are!from!the!previous!version!of!PCMONS! and! are! not! strictly! related! to!security,!but!they!are!show!combined.!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 28!
!8.!KEY!LESSONS!LEARNED!!
!!) The!tool!helps!network!and!security!administrator!perceive! viola/ons! to! Sec)SLAs! and! ac/vely!respond!to!threats.!
) The! major! piece! of! technology! used! to! provide!security!in!the!cloud!is!cryptography.!
) Data! leakage! and! data! loss! are! possibly! the!greatest!concerns!of!cloud!users.!
) Backup!and!recovery!are!also!fundamental!tools!to!ensure!the!availability!of!customer!data.!!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 29!
!8.!KEY!LESSONS!LEARNED!!
!!) SLAs! are! fundamental! to! provide! customers!with!the!needed!guarantees.!
) Defini/on!of!requirements!and!the!monitoring!of!security!metrics!remain!an!important!open!research!topic.!!
) The!major!decisions!in!this!work!were!related!to!the!security!metrics!and!the!somware!used!to!provide!the!necessary!security!data.!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 30!
!8.!KEY!LESSONS!LEARNED!!
!!) The! idea! of! analyzing! logs! to! obtain! security!data! is! classical! in! informa/on!security!and! it!seemed! like! a! natural! approach! to! our!challenges.!
) To!read,!parse!and!present!the!data!we!chose!to! use! the! Python! programming! language!because! it! already! formed! the! base! of!PCMONS!(Private!Cloud!Monitoring!System).!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 31!
!8.!KEY!LESSONS!LEARNED!!
!!) Sepng!up!a!reliable!tes/ng!environment!was!also!extremely! important! to! the! success! of! the!project.!
) An! important! feature! of! this! extension! of!PCMONS! is! that! it! can! run! over! OpenNebula,!OpenStack!and!CloudStack.!!
) The! use! of! scrip/ng! languages! in! the!development! process,! such! as! Python! and! Bash!Script!allowed!us!to!define!the!metrics.!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 32!
!9.!CONCLUSION!AND!FUTURE!WORK!!!
!!This!work!described:!!)! A! few! of! our! previous! works! in! the! field! of!Cloud! Compu/ng! and! how! to! bring! them! all!together! in! order! to! develop! a! cloud! security!monitoring!architecture;!and!)! The! design! and! implementa/on! of! a! cloud!security!monitoring!tool,!and!how! it!can!gather!data!from!many!security!sources!inside!VMs!and!the!network.!NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 33!
!9.!CONCLUSION!AND!FUTURE!WORK!!!
!!As!future!work:!) We! can! point! to! the! defini/on! and! imple)!menta/on! of! new! metrics! and! a! beeer!integra/on!with!exis/ng!Security!SLAs;!and!
) It!would!be!important!to!study!the!integra/on!of! the! security! monitoring! model! with! other!ac/ve!research!fields!in!cloud!security,!such!as!Iden/ty! and! Access! Management! and!Intrusion!Detec/on!Systems.!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 34!
10.!REFERENCES!!
References!indicated!in!this!presenta/on:!) [4]! R.! B.! Uriarte! and! C.! B.!Westphall,! “Panoptes:! A!monitoring! architecture! and! framework! for!suppor/ng! autonomic! clouds,”! in! IEEE! Network!Opera/ons!and!Management!Symposium,!2014.!
) [5]! D.! Fernandes! et! al.,! “Security! issues! in! cloud!environments:! a! survey,”! Interna/onal! Journal! of!Informa/on!Security,!2014.!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 35!
10.!REFERENCES!!
References!indicated!in!this!presenta/on:!) [6]!T.!T.!W.!Group!et!al.,!“The!notorious!nine:!cloud!compu/ng! top! threats! in! 2013,”! Cloud! Security!Alliance,!2013.!
) [7]! M.! Mukhtarov! et! al.,! “Cloud! network! security!monitoring! and! response! system,”! CLOUD!COMPUTING! 2012! (The! Third! Interna/onal!Conference! on! Cloud! Compu/ng,! GRIDs,! and!Virtualiza/on).!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 36!
10.!REFERENCES!!
References!indicated!in!this!presenta/on:!) [8]! B.! Grobauer,! et! al.,! “Understanding! cloud!compu/ng! vulnerabili/es,”! Security! Privacy,! IEEE,!vol.!9,!no.!2,!March)April!2011.!
) [9]!X.!Tan!and!B.!Ai,!“The! issues!of!cloud!compu/ng!security! in! high)speed! railway,”! in! Electronic! and!Mechanical!Engineering!and!Informa/on!Technology!(EMEIT),! 2011! Interna/onal! Conference! on,! vol.! 8,!2011.!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 37!
10.!REFERENCES!!
References!indicated!in!this!presenta/on:!) [10]!F.!Sabahi,!“Cloud!compu/ng!security!threats!and!responses,”! in! Communica/on! Somware! and!Networks!(ICCSN),!IEEE!3rd!Interna/onal!Conference!on,!2011.!
) [11]!K.!Vieira,!et!al.,!“Intrusion!detec/on!for!grid!and!cloud!compu/ng,”!IEEE!IT!Professional,!vol.!12,!no.!4,!2010.!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 38!
10.!REFERENCES!!
References!indicated!in!this!presenta/on:!) [12]!L.!Kaufman,!“Data!security!in!the!world!of!cloud!compu/ng,”! Security! Privacy,! IEEE,! vol.! 7,! no.! 4,!2009.!
) [13]!S.!Chaves!et!al.,!“Customer!security!concerns!in!cloud! compu/ng,”! in! ICN,! The! Tenth! Inter)! na/onal!Conference!on!Networks,!2011.!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 39!
10.!REFERENCES!!
References!indicated!in!this!presenta/on:!) [14]!S.!A.!Chaves,!R.!B.!Uriarte,!and!C.!B.!Westphall,!“Toward! an! architecture! for! monitoring! private!clouds,,”!Communica/ons!Magazine,!IEEE,!vol.!49,!n.!12,!2011.!
) [15]!S.!A.!Chaves,!C.!B.!Westphall,!and!F.!Lamin,!“Sla!perspec/ve! in! security! management! for! cloud!compu/ng,”!in!Networking!and!Services!(ICNS),!2010!Sixth!Interna/onal!Conference!on,!2010.!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 40!
10.!REFERENCES!!
References!indicated!in!this!presenta/on:!) [20]! D.! R.! dos! Santos,! C.! M.! Westphall,! and! C.! B.!Westphall,! “A! dynamic! risk)based! access! control!architecture! for! cloud! compu/ng,”! in! IEEE! Network!Opera/ons! and! Management! Symposium! (NOMS),!2014.!
) [21]!P.!F.!SIlva!et!al.,!“An!architecture!for!risk!analysis!in! cloud,”! in! ICNS,! The! Tenth! Interna/onal!Conference!on!Networking!and!Services,!2014.!
NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 41!
Federated!Iden/ty!to!Cloud!Environment!Using!Shibboleth!
NOVEMBER!16TH,!LISBON,!PORTUGAL! 42!IARIA!NetWare!2014!)!TUTORIAL!2!
Content)at)a)Glance)• Introduc/on!and!Related!Works!• Cloud!Compu/ng!• Iden/ty!Management!• Shibboleth!• Federated!Mul/)Tenancy!Authoriza/on!System!on!Cloud!– Scenario!– Implementa/on!of!the!Proposed!Scenario!– Analysis!and!Test!Results!within!Scenario!
• Conclusions!and!Future!Works!
NOVEMBER!16TH,!LISBON,!PORTUGAL! 43!IARIA!NetWare!2014!)!TUTORIAL!2!
Introduc/on!• Cloud!compu/ng!systems:!reduced!upfront!investment,! expected! performance,! high!availability,! infinite! scalability,! fault)tolerance.!• IAM! (Iden/ty! and! Access! Management)!plays! an! important! role! in! controlling! and!billing!user!access! to! the!shared! resources!in!the!cloud.!
NOVEMBER!16TH,!LISBON,!PORTUGAL! 44!IARIA!NetWare!2014!)!TUTORIAL!2!
Introduc/on!
• IAM! systems! need! to! be! protected! by!federa/ons.!
• Some! technologies! implement! federated!iden/ty,!such!as!the!SAML!(Security!Asser/on!Markup!Language)!and!Shibboleth!system.!
• The! aim! of! this! paper! is! to! propose! a!mul/)tenancy! author iza/on! system! us ing!Shibboleth!for!cloud)based!environments.!
NOVEMBER!16TH,!LISBON,!PORTUGAL! 45!IARIA!NetWare!2014!)!TUTORIAL!2!
Related!Work!• R. Ranchal et al. 2010 - an!approach!for!IDM!is!proposed,! which! is! independent! of! Trusted!Third! Party! (TTP)! and! has! the! ability! to! use!iden/ty!data!on!untrusted!hosts.!
• P. Angin et al. 2010 - an!en/ty)centric!approach!for! IDM! in! the! cloud! is! proposed.! They!proposed! the! cryptographic! mechanisms! used!in! R. Ranchal et al. without! any! kind! of!implementa/on!or!valida/on.!
NOVEMBER!16TH,!LISBON,!PORTUGAL! 46!IARIA!NetWare!2014!)!TUTORIAL!2!
This!Work!• Provide! iden/ty! management! and! access! control! and!aims! to:! (1)! be! an! independent! third! party;! (2)!authen/cate! cloud! services! using! the! user's! privacy!policies,! providing! minimal! informa/on! to! the! Service!Provider! (SP);! (3)! ensure! mutual! protec/on! of! both!clients!and!providers.!
• This! paper! highlights! the! use! of! a! specific! tool,!Shibboleth,! which! provides! support! to! the! tasks! of!authen/ca/on,!authoriza/on!and!iden/ty!federa/on.!
• The! main! contribu/on! of! our! work! is! the!implementa/on!in!cloud!and!the!scenario!presented.!
!NOVEMBER!16TH,!LISBON,!PORTUGAL! 47!IARIA!NetWare!2014!)!TUTORIAL!2!
The!NIST!Cloud!Defini/on!Framework!
Community)Cloud)
Private)Cloud)
Public)Cloud)
Hybrid!Clouds!
Deployment!Models!
Service!Models!
Essen/al!Characteris/cs!
Common!!Characteris/cs!
Somware!as!a!Service!(SaaS)!
Plauorm!as!a!Service!(PaaS)!
Infrastructure!as!a!Service!(IaaS)!
Resource!Pooling!
Broad!Network!Access! Rapid!Elas/city!
Measured!Service!
On!Demand!Self)Service!
Low!Cost!Somware!
Virtualiza/on! Service!Orienta/on!
Advanced!Security!
Homogeneity!
Massive!Scale! Resilient!Compu/ng!
Geographic!Distribu/on!
Based!upon!original!chart!created!by!Alex!Dowbor!NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 48!
Iden/ty!Management!• Digital! iden/ty! is! the! representa/on! of! an!en/ty!in!the!form!of!aeributes.!
hep://en.wikipedia.org/wiki/Iden/ty_management!NOVEMBER!16TH,!LISBON,!PORTUGAL! 49!IARIA!NetWare!2014!)!TUTORIAL!2!
Iden/ty!Management!
• Iden/ty!Management!(IdM)!is!a!set!of!func/ons!and!capabili/es!used!to!ensure!iden/ty!informa/on,!thus!assuring!security.!
• An! Iden/ty! Management! System! (IMS)! provides!tools!for!managing!individual!iden//es.!
• An!IMS!involves:!– User!– Iden/ty!Provider!(IdP)!– Service!Provider!(SP)!
NOVEMBER!16TH,!LISBON,!PORTUGAL! 50!IARIA!NetWare!2014!)!TUTORIAL!2!
IMS!
• Provisioning:! addresses! the! provisioning! and!deprovisioning!of!several!types!of!user!accounts.!
• Authen/ca/on:!ensures!that!the!individual!is!who!he/she!claims!to!be.!
• Authoriza/on:! provide!different!access! levels! for!different!parts!or!opera/ons!within!a!compu/ng!system.!
• Federa/on:! it! is! a! group! of! organiza/ons! or! SPs!that!establish!a!circle!of!trust.!
NOVEMBER!16TH,!LISBON,!PORTUGAL! 51!IARIA!NetWare!2014!)!TUTORIAL!2!
• The! OASIS! SAML! (Security! Asser/on! Markup!Language)!standard!defines!precise!syntax!and!rules!for!reques/ng,!crea/ng,!communica/ng,!and!using!SAML!asser/ons.!
• The! Shibboleth! is! an! authen/ca/on! and!authoriza/on! infrastructure! based! on! SAML!that! uses! the! concept! of! federated! iden/ty.!The! Shibboleth! system! is! divided! into! two!en//es:!the!IdP!and!SP.!
NOVEMBER!16TH,!LISBON,!PORTUGAL! 52!IARIA!NetWare!2014!)!TUTORIAL!2!
Shibboleth!• The! IdP! is! the! element! responsible! for!authen/ca/ng!users:!Handle!Service!(HS),! !Aeribute!Authority! (AA),! Directory! Service,! Authen/ca/on!Mechanism.!
• The! SP! Shibboleth! is! where! the! resources! are!stored:! Asser/on! Consumer! Service! (ACS),! ! Aeribute!Requester!(AR),!Resource!Manager!(RM).!
• The!WAYF! ("Where! Are! You! From",! also! called!the!Discovery!Service)!is!responsible!for!allowing!an!associa/on!between!a!user!and!organiza/on.!
NOVEMBER!16TH,!LISBON,!PORTUGAL! 53!IARIA!NetWare!2014!)!TUTORIAL!2!
NOVEMBER!16TH,!LISBON,!PORTUGAL! 54!IARIA!NetWare!2014!)!TUTORIAL!2!
In! Step! 1,! the! user! navigates! to! the! SP! to! access! a! protected!resource.! In! Steps! 2! and! 3,! Shibboleth! redirects! the! user! to! the!WAYF! page,! where! he! should! inform! his! IdP.! In! Step! 4,! the! user!enters!his!IdP,!and!Step!5!redirects!the!user!to!the!site,!which!is!the!component! HS! of! the! IdP.! In! Steps! 6! and! 7,! the! user! enters! his!authen/ca/on!data!and!in!Step!8!the!HS!authen/cate!the!user.!The!HS!creates!a!handle!to!iden/fy!the!user!and!sends!it!also!to!the!AA.!Step!9!sends!that!user!authen/ca/on!handle!to!AA!and!to!ACS.!The!handle!is!checked!by!the!ACS!and!transferred!to!the!AR,!and!in!Step!10! a! session! is! established.! In! Step! 11! the! AR! uses! the! handle! to!request!user!aeributes!to!the! IdP.!Step!12!checks!whether!the! IdP!can!release!the!aeributes!and!in!Step!13!the!AA!responds!with!the!aeribute!values.!In!Step!14!the!SP!receives!the!aeributes!and!passes!them!to!the!RM,!which!loads!the!resource!in!Step!15!to!present!to!the!user.!
NOVEMBER!16TH,!LISBON,!PORTUGAL! 55!IARIA!NetWare!2014!)!TUTORIAL!2!
Federated!Mul/)Tenancy!Authoriza/on!System!on!Cloud!
• IdM! can! be! implemented! in! several! different!types!of!configura/on:!– IdM!can!be!implemented!in)house;!– IdM! itself! can! be! delivered! as! an! outsourced!service.!This!is!called!Iden/ty!as!a!Service!(IDaaS);!
– Each!cloud!SP!may!independently!implement!a!set!of!IdM!func/ons.!!
• In! this! work,! it! was! decided! to! use! the! first!case!configura/on:!in)house.!
NOVEMBER!16TH,!LISBON,!PORTUGAL! 56!IARIA!NetWare!2014!)!TUTORIAL!2!
Configura/ons!of!IDM!systems!on!cloud!compu/ng!environments!
NOVEMBER!16TH,!LISBON,!PORTUGAL! 57!IARIA!NetWare!2014!)!TUTORIAL!2!
Federated!Mul/)Tenancy!Authoriza/on!System!on!Cloud!
• This!work!presents! an!authoriza/on!mechanism! to!be!used!by!an!academic! ins/tu/on! to! offer! and! use! the! services! offered! in! the!cloud.!
• The! part! of! the! management! system! responsible! for! the!authen/ca/on!of!iden/ty!will!be!located!in!the!client!organiza/on.!
• The! communica/on! with! the! SP! in! the! cloud! (Cloud! Service!Provider,!CSP)!will!be!made!through!iden/ty!federa/on.!
• The!access!system!performs!authoriza/on!or!access!control! in! the!environment.!!
• The!ins/tu/on!has!a!responsibility!to!provide!the!user!aeributes!for!the!deployed!applica/on!SP!in!the!cloud.!
• The!authoriza/on!system!should!be!able!to!accept!mul/ple!clients,!such!as!a!mul/)tenancy.!
NOVEMBER!16TH,!LISBON,!PORTUGAL! 58!IARIA!NetWare!2014!)!TUTORIAL!2!
Scenario!• A! service! is! provided! by! an! academic! ins/tu/on!in! a! CSP,! and! shared! with! other! ins/tu/ons.! In!order! to! share! services! is! necessary! that! an!ins/tu/on!is!affiliated!to!the!federa/on.!
• For! an! ins/tu/on! to! join! the! federa/on! it! must!have! configured! an! IdP! that! meets! the!requirements!imposed!by!the!federa/on.!!
• Once! affiliated! with! the! federa/on,! the!ins/tu/on! will! be! able! to! authen/cate! its! own!users,! since!authoriza/on! is! the! responsibility!of!the!SP.!
NOVEMBER!16TH,!LISBON,!PORTUGAL! 59!IARIA!NetWare!2014!)!TUTORIAL!2!
Scenario!)!Academic!Federa/on!sharing!services!in!the!cloud!
NOVEMBER!16TH,!LISBON,!PORTUGAL! 60!IARIA!NetWare!2014!)!TUTORIAL!2!
Implementa/on!of!the!Proposed!Scenario!
• A!SP!was!primarily!implemented!in!the!cloud:!– an! Apache! server! on! a! virtual! machine! hired! by!the!Amazon!Web!Services!cloud.!
– Installa/on!of!the!Shibboleth!SP.!– Installa/on!of! !DokuWiki,!which! is!an!applica/on!that! allows! the! collabora/ve! edi/ng! of!documents.!
– The! SP! was! configured! with! authoriza/on! via!applica/on,! to! differen/ate! between! common!users!and!administrators!of!Dokuwiki.!
NOVEMBER!16TH,!LISBON,!PORTUGAL! 61!IARIA!NetWare!2014!)!TUTORIAL!2!
Implementa/on!of!the!Proposed!Scenario!–!Cloud!Service!Provider!
NOVEMBER!16TH,!LISBON,!PORTUGAL! 62!IARIA!NetWare!2014!)!TUTORIAL!2!
Implementa/on!of!the!Proposed!Scenario!–!cloud!IdP!
NOVEMBER!16TH,!LISBON,!PORTUGAL! 63!IARIA!NetWare!2014!)!TUTORIAL!2!
Implementa/on!of!the!Proposed!Scenario!
• The! JASIG! CAS! Server! was! used! to! perform! user!authen/ca/on! through! login! and! password,! and! then!passes!the!authen/cated!users!to!Shibboleth.!
• The!CAS!has!been! configured! to! search! for!users! in! a!Lightweight! Directory! Access! Protocol! (LDAP).! To! use!this! directory! OpenLDAP! was! installed! in! another!virtual!machine,!also!running!on!Amazon's!cloud.!
• To!demonstrate!the!use!of!SP!for!more!than!one!client,!another!IdP!was!implemented,!also!in!cloud,!similar!to!the! first.! To! support! this! task! Shibboleth! provides! a!WAYF!component.!
NOVEMBER!16TH,!LISBON,!PORTUGAL! 64!IARIA!NetWare!2014!)!TUTORIAL!2!
Analysis!and!Test!Results!within!Scenario!
• In!this!resul/ng!structure,!each!IdP!is!represented!in!a!private!cloud,!and!the!SP!is!in!a!public!cloud.!
The!results!highlighted!two!main!use!cases:!• Read6access6to6documents6• Access6for6edi/ng6documents6
NOVEMBER!16TH,!LISBON,!PORTUGAL! 65!IARIA!NetWare!2014!)!TUTORIAL!2!
Conclusions!
• The!use!of!federa/ons!in!IdM!plays!a!vital!role.!• This!work!was!aimed!at!an!alterna/ve!solu/on!to!a! IDaaS.! IDaaS! is!controlled!and!maintained!by!a!third!party.!
• The! infrastructure! obtained! aims! to:! (1)! be! an!independent! third! party,! (2)! authen/cate! cloud!services! using! the! user's! privacy! policies,!providing! minimal! informa/on! to! the! SP,! (3)!ensure! mutual! protec/on! of! both! clients! and!providers.!
NOVEMBER!16TH,!LISBON,!PORTUGAL! 66!IARIA!NetWare!2014!)!TUTORIAL!2!
Conclusions!• This! paper! highlights! the! use! of! a! specific! tool,!Shibboleth,!which! provides! support! to! the! tasks!of! authen/ca/on,! authoriza/on! and! iden/ty!federa/on.!
• Shibboleth!was!very!flexible!and! it! is!compa/ble!with!interna/onal!standards.!
• It!was!possible! to!offer!a! service!allowing!public!access! in! the! case! of! read)only! access,! while! at!the! same! /me! requiring! creden/als! where! the!user! must! be! logged! in! order! to! change!documents.!
NOVEMBER!16TH,!LISBON,!PORTUGAL! 67!IARIA!NetWare!2014!)!TUTORIAL!2!
Future!Work!• We!propose!an!alterna/ve!authoriza/on!method,!where! the! user,! once! authen/cated,! carries! the!access! policy,! and! the! SP! should! be! able! to!interpret!these!rules.!
• The! authoriza/on! process! will! no! longer! be!performed!at!the!applica/on!level.!
• Expanding! the! scenario! to! represent! new! forms!of!communica/on.!
• Create!new!use!cases!for!tes/ng.!!• Use!pseudonyms!in!the!CSP!domain.!
NOVEMBER!16TH,!LISBON,!PORTUGAL! 68!IARIA!NetWare!2014!)!TUTORIAL!2!
Some!References!- E. Bertino, and K. Takahashi, Identity Management - Concepts, Technologies, and Systems. ARTECH HOUSE, 2011. - “Security Guidance for Critical Areas of Focus in Cloud C o m p u t i n g , ” C S A . O n l i n e a t : h t t p : / /www.cloudsecurityalliance.org. - “Domain 12: Guidance for Identity and Access Management V2.1.,” Cloud Security Alliance. - CSA. Online at: https://cloudsecurityalliance.org/guidance/csaguide-dom12-v2.10.pdf. - D. W. Chadwick, Federated identity management. Foundations of Security Analysis and Design V, Springer-Verlag: Berlin, Heidelberg 2009 pp. 96–120. NOVEMBER!16TH,!LISBON,!PORTUGAL! 69!IARIA!NetWare!2014!)!TUTORIAL!2!
Some!References!- A. Albeshri, and W. Caelli, “Mutual Protection in a Cloud Computing environment,” Proc. 12th IEEE Intl. Conf. on High Performance Computing and Communications (HPCC 10), pp. 641-646. - R. Ranchal, B. Bhargava, A. Kim, M. Kang, L. B. Othmane, L. Lilien, and M. Linderman, “Protection of Identity Information in Cloud Computing without Trusted Third Party,” Proc. 29th IEEE Intl. Symp. on Reliable Distributed Systems (SRDS 10), pp. 368–372. - P. Angin, B. Bhargava, R. Ranchal, N. Singh, L. B. Othmane, L. Lilien, and M. Linderman, “An Entity-Centric Approach for Privacy and Identity Management in Cloud Computing,” Proc. 29th IEEE Intl. Symp. on Reliable Distributed Systems (SRDS 10), pp. 177–183. NOVEMBER!16TH,!LISBON,!PORTUGAL! 70!IARIA!NetWare!2014!)!TUTORIAL!2!
71!
A!Vision!of!Privacy!on!Iden/ty!Management!Systems!!
!!
NOVEMBER!16TH,!LISBON,!PORTUGAL! 71!IARIA!NetWare!2014!)!TUTORIAL!2!
BackgroundChallenges
ConclusionsReferences
Agenda
1 BackgroundPrivacyIdentity managementFederation
2 Challenges
3 Conclusions
4 References
2 / 31
BackgroundChallenges
ConclusionsReferences
PrivacyIdentity managementFederation
Privacy
DefinitionIt is a fundamental human right [2]It is the control of release of personal data [1]It should be a vital characteristic of computingsystems
3 / 31
BackgroundChallenges
ConclusionsReferences
PrivacyIdentity managementFederation
Privacy/Characteristics
Characteristics of privacy [3]UndetectabilityUnlinkabilityConfidentiality
4 / 31
BackgroundChallenges
ConclusionsReferences
PrivacyIdentity managementFederation
Privacy/Paradigms
Paradigms of privacy [4]Privacy as a controlPrivacy as confidentialityPrivacy as practice
5 / 31
BackgroundChallenges
ConclusionsReferences
PrivacyIdentity managementFederation
Privacy
Legislation to protect users’ privacyData Protection Directive – Europe [5]Health Insurance Portability and Accountability Act(HIPAA) – USA [6]Gramm-Leach-Bliley Act – USA [7]The Internet Bill of Rights – Brazil [8]
Legislations main goalProtect users against unwilling data disclosure andprocessing
6 / 31
BackgroundChallenges
ConclusionsReferences
PrivacyIdentity managementFederation
Identity management/Access control model
Attribute Based Access Control (ABAC)Attributes are properties/characteristics of entitiesIt uses attributes relevant for the request contextIt evaluates rules against attributes of entities
7 / 31
BackgroundChallenges
ConclusionsReferences
PrivacyIdentity managementFederation
Fundamentos/Identities
Identity definitionSet of attributes that represent a user or a systemAlso known as personally identifiable information (PII)
Example
Attribute ValueID 11111010101
Name JohnLast name Smith
SSN 403289440email [email protected] manager
... ... 8 / 31
BackgroundChallenges
ConclusionsReferences
PrivacyIdentity managementFederation
Identity management
DefinitionThe process of managing users’ identity attributes [9]It deal with collection, authentication, and use ofidentities’ attributesIt provides means to create, manage and useidentitiesAllows single sign on (SSO) and single log out (SLO)
9 / 31
BackgroundChallenges
ConclusionsReferences
PrivacyIdentity managementFederation
Identity management
Roles in Identity management systems (IMS) [10]UsersIdentityIdentity provider (IdP)Service provider (SP)
10 / 31
BackgroundChallenges
ConclusionsReferences
PrivacyIdentity managementFederation
Identity management/Credentials
Credential definitionAttributes used to authenticate a user a single usere.g. a par of login and password, biometrics or digitalcertificates
11 / 31
BackgroundChallenges
ConclusionsReferences
PrivacyIdentity managementFederation
Identity management/Basic processes
AuthenticationPerformed at the IdPIt uses a credential to confirm identity
AuthorizationMostly performed at the SPIt uses users’ attributes sent from the IdP to SPSP deliberates about the resource delivery
12 / 31
BackgroundChallenges
ConclusionsReferences
PrivacyIdentity managementFederation
Identity management environment
Single administrative domain
13 / 31
BackgroundChallenges
ConclusionsReferences
PrivacyIdentity managementFederation
Federation
DefinitionAn association of service providers and identityprovidersIt allows users to access resources in multipleadministrative domains (ADs)Users authenticate with their home AD
14 / 31
BackgroundChallenges
ConclusionsReferences
PrivacyIdentity managementFederation
Federation/picture
Multiple ADs
15 / 31
BackgroundChallenges
ConclusionsReferences
PrivacyIdentity managementFederation
Federation/technologies
Exchange data formatSecurity Assertion Markup Language (SAML)OpenId Connect (JSON)
16 / 31
BackgroundChallenges
ConclusionsReferences
PrivacyIdentity managementFederation
Federation/technologies
Frameworks/toolsAuthentic 2Higgins (Personal Data Service)OpenAMOpenId connectPing federateShibboleth
17 / 31
BackgroundChallenges
ConclusionsReferences
PrivacyIdentity managementFederation
Federation/technologies
Frameworks characteristics
ProjectOpen
Source?Has a
protocolOwner Data format Who uses
Shibboleth Yes No Internet2 SAML 1/2 Academia
OpenAM Yes No ForgeRockSAML 1/2,
OpenId ConnectIndustry
Authentic 2 Yes No Entr’ouvert SAML 2, OpenID 1/2Low
adherence
OpenID Connect Yes Yes OpenIDOpenId Connect
(Json)Industry/academy
Higgins Yes No Eclipse SAMLLow
adherencePing Federate No No PingIdentity SAML e OpenID Industry
18 / 31
BackgroundChallenges
ConclusionsReferences
Cloud challenges
Cloud challengesData managementData securityData privacy
19 / 31
BackgroundChallenges
ConclusionsReferences
Challenges on IMS
Lack of user control over PIIs stored on IdPAttributes stored out of user’s boundariesAdministrators with permissions and means toaccess user’s attributesAttributes vulnerable to unwilling access anddisclosure
20 / 31
BackgroundChallenges
ConclusionsReferences
Challenges on IMS
Awareness of disclosure processUsers are the owners of their attributeThey must know which data is being disclosedThe should be able to select/unselect any attribute
21 / 31
BackgroundChallenges
ConclusionsReferences
Challenges on IMS
Awareness of disclosure process
22 / 31
BackgroundChallenges
ConclusionsReferences
Challenges on IMS
Absence of disclosure support during disseminationprocess
The dissemination process is a complex taskThe amount of attributes and its combination is hugeUsers do not have know-how to decide which set ofattributes can bring more or less risk
23 / 31
BackgroundChallenges
ConclusionsReferences
Challenges on IMS
Absence of disclosure support during disseminationprocess
24 / 31
BackgroundChallenges
ConclusionsReferences
Challenges on IMS
Lack of means to control disclosed attributesCan the SP store the attributes? for how long?Can it be disseminated to third parties?Attributes control enforcement on SPs is a hardproblem to solveThe use of policies with the disclosed attributes canbring some light to this problemThe use of policies brings up another problem. Thepolicy enforcement on SPs
25 / 31
BackgroundChallenges
ConclusionsReferences
ConclusionsThere are no definitive answers for the present issues(for now)Privacy of attributes on IMS is a recent topicMechanisms to provide effective control of attributesfor users are still open for debatesDisclosure support methods should be carefullystudied and added to IMSPolicy enforcement on SPs is an open problem tosolve
26 / 31
BackgroundChallenges
ConclusionsReferences
Our work
We are researching methods:To provide users with control and privacy on attributesTo assure privacy of attributes between providersinteractions (SP-IdP, SP-SP)Support for users during the disclosure process
27 / 31
BackgroundChallenges
ConclusionsReferences
Our work
FundingBrazilian Funding Authority for Studies and Projects(FINEP)
ProjectBrazilian National Research Network in Security andCryptography project (RENASIC)Conducted at Federal University of Santa Catarina(UFSC) in the Networks and Management laboratory(LRG).
28 / 31
BackgroundChallenges
ConclusionsReferences
The end
Discussion momentQuestionsDoubtsDiscussions
29 / 31
BackgroundChallenges
ConclusionsReferences
References I
[1] Landwehr, Carl and Boneh, Dan and Mitchell, John C and Bellovin, Steven M and Landau, Susan and Lesk,
Michael E.
Privacy and cybersecurity: The next 100 years.
Proceedings of the IEEE, Special Centennial Issue, 2012.
[2] Lauterpacht, Hersch.
The Universal Declaration of Human Rights.
Journal Brit. YB Int’l L., 1948.
[3] Birrell, Eleanor and Schneider, Fred B
Federated identity management systems: A privacy-based characterization.
IEEE security & privacy. 2013.
[4] Diaz, Claudia and Gurses, Seda
Understanding the landscape of privacy technologies.
Extended abstract of invited talk in proceedings of the Information Security Summit. 2012.
[5] Directive, EU
95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals
with regard to the processing of personal data and on the free movement of such data.
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML
30 / 31
BackgroundChallenges
ConclusionsReferences
References II
[6] United States Congress
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996.
http://www.gpo.gov/fdsys/pkg/PLAW-104publ191/html/PLAW-104publ191.htm
[7] United States Congress
GRAMM-LEACH-BLILEY ACT.
http://www.gpo.gov/fdsys/pkg/PLAW-106publ102/html/PLAW-106publ102.htm
[8] Civil, Casa
Lei No12.965, DE 23 abril de 2014.
http://www.planalto.gov.br/ccivil 03/ ato2011-2014/2014/lei/l12965.htm
[9] Chadwick, David W
Federated identity management.
Foundations of Security Analysis and Design V.
[10] Bertino, Elisa and Takahashi, Kenji
Identity Management: Concepts, Technologies, and Systems.
Artech House.
31 / 31
72#
Risk(based#Access#Control#Architecture#for#Cloud#
Compu:ng#
NOVEMBER#16TH,#LISBON,#PORTUGAL# 72#IARIA#NetWare#2014#(#TUTORIAL#2#
Agenda• Introduction
• Related work
• Risk-based access control
• Proposed architecture
• Implementation and experiments
• Conclusion and future work
Introduction• Cloud computing is a successful paradigm and cloud
federations aim to make it even more efficient and scalable by sharing resources among providers
• In highly distributed, dynamic and heterogeneous environments, traditional access control models present problems, such as: scalability, flexibility and the use of static policies
• Dynamic access control models, like risk-based, provide greater flexibility and are able to handle exceptional requests (“break the glass”)
Introduction• We present a model for dynamic risk-based access
control for cloud computing
• The system uses quantification and aggregation of risk metrics that are defined in risk policies, which are created by the owners of the cloud resources
• It is built on top on an XACML architecture and allows the use of ABAC coupled with risk analysis
Related Work• Fall et al. [1] - presents the first idea of risk-based
AC for cloud. Propose using NSA RAdAC, but show no implementation
• Arias-Cabarcos et al. [2] - proposes the use of a fixed set of risk metrics for establishing identity federations in the cloud
• Sharma et al. [3] - uses risk-based AC on top of RBAC for cloud e-Health. Their model has 3 metrics (Confidentiality, Integrity and Availability)
Risk-based Access Control• Traditional access control models employ static
authorization, i.e., every decision is pre-established, based on the policies
• The idea behind dynamic access control is that the access requests must be analyzed taking into account contextual and environmental information such as security risk, operational need, benefit and others
• Real applications may require the violation of security policies, and the support for exceptional access requests is known as “break the glass”
Risk-based Access Control• Uses a function that evaluates in “real time” each
request
• Risk analysis can be qualitative, with levels of risk, or quantitative, where risk is usually defined as: Probability X Impact
• Many approaches to risk quantification: fuzzy logic, machine learning, probabilistic inference, … • usually based on the history of users and access
Proposed Architecture• XACML extension. ABAC and risk-based are taken in parallel and
then combined to reach a final decision. • Combination rules: Deny overrides, Permit overrides, ABAC
precedence, Risk precedence
• Risk decision is based on XML risk policies associated to a resource. A policy defines a set of risk metrics, how to quantify and aggregate them and an acceptable risk threshold
• Quantification and aggregation methods can be local (in the CSP) or external, defined by the resource owner as a web service
• The CSP has a basic risk policy, defining the maximum risk level accepted by it
Overview
Decision process
Case study - cloud federation
• Identity and Access Management is a big challenge when setting up a cloud federation
• It involves a notion of trust, which is usually mediated by an identity federation, this has two major issues: • trust agreements and interoperability
• To decrease the level of trust needed among participating clouds, we incorporate the notion of risk
• Also, interoperability may be increased, because a missing attribute in a message may also be considered as a risk factor, instead of stopping communication
Case study - cloud federation
Considerations• The architecture allows a flexible AC system
• Risk analysis may be too subjective • The support of Obligations is essential
• Risk policies allow the use of many risk metrics, using diverse quantification and aggregation methods from different sources
• The main limitation is the performance overhead due to the processing of the risk policies and the quantification of the risk metrics
Implementation• Three stages:
• Access control architecture; Cloud federation; Risk quantification and aggregation methods
• Python, ndg-xacml, ZeroMQ, web.py, peewee, MySQL, OpenNebula
• Two risk policies implemented for tests: • Sharma et al. [3] : ((a * p1) + (i * p2) + (c * p3) +
pastScore) !
• Britton and Brown [4] : 27 metrics
Experiments - risk policy<rp:risk-policy version="1.0" xmlns:rp="http://inf. ufsc.br/~danielrs"> <rp:resource id="1"/><rp:user id="1"/> <rp:metric-set name="sharma2012"> <rp:metric> <rp:name>Confidentiality</rp:name> <rp:quantification>https://localhost:8443/quantify-conf</rp:quantification> </rp:metric> <rp:metric> <rp:name>Availability</rp:name> <rp:quantification>https://localhost:8443/quantify-avail</rp:quantification> </rp:metric> <rp:metric> <rp:name>Integrity</rp:name> <rp:quantification>https://localhost:8443/quantify-int</rp:quantification> </rp:metric> </rp:metric-set> <rp:aggregation-engine>https://localhost:8443/aggregate</rp:aggregation-engine> <rp:risk-threshold>1.5</rp:risk-threshold> </rp:risk-policy>
Experiments
</rp:metric>
<rp:metric>
<rp:name>Integrity</rp:name>
<rp:quantification>https://
localhost:8443/quantify-int</
rp:quantification>
</rp:metric>
</rp:metric-set>
<rp:aggregation-engine>https://localhost:8443/
aggregate</rp:aggregation-engine>
<rp:risk-threshold>1.5</rp:risk-threshold>
</rp:risk-policy>
A. Example of use
To illustrate the operation of the implementation we de-scribe an example of use. In this example, we consider onlyone CSP that stores and instantiates the resources of its users.
Suppose that Alice instantiates a virtual machine (VM) inthis CSP and decides that it accepts risk-based access control,which is supported by the CSP. She then defines an XACMLpolicy, a risk policy and a combination rule for this VM. Inthe XACML policy, Alice defines two types of access: (i) sheand users who belong to her group of friends can view themachine; and (ii) only she can edit or delete the machine. Allof the other actions, for all of the other users are forbidden.As risk policy, Alice uses the implementation of Sharma et al.[34], which consider metrics for Confidentiality, Integrity andAvailability.
Suppose that there are two more users in this CSP: Bob,who is in the group of Alice’s friends and Charlie, who is not.Considering the XACML access control, when Alice tries toaccess the machine for any action, her access is granted; whenBob tries to access the machine, he has the access granted forviewing, but not for editing or deleting; Charlie has the accessdenied for any action. Considering risk, the result is the samefor any user because in the implementation the past risk scorewas fixed in 1 for every user.
Let us explore an access decision for Charlie’s request toview Alice’s VM. The request comes to the PEP and is sent tothe PDP. At this moment the XACML PDP and the risk engineare called. In this case, the XACML decision would be DENY.The risk decision is based on the action chosen (viewing) andthe fact that the resource is sensitive. Thus, the impact resultswould be: 0 for availability (a), 0 for integrity (i) and 1 forconfidentiality (c) [34]. Since we have no history to base ourcalculations, let us consider the probability of occurrence ofevery result as 0.33 and the past risk score of every user as 1.The aggregated risk would then be:
((a * p1) + (i * p2) + (c * p3) + pastScore) = ((0 * 0.33)+ (0 * 0.33) + (1 * 0.33) + 1) = 1.33
Since the risk score (1.33) is lower than the thresholddefined in the policy (1.5), the risk decision is PERMIT. Thefinal result depends on the combination rule being used. Ifthe rule is Permit Overrides or Risk Precedence, the result isPERMIT, otherwise it is DENY.
B. Experiments
To test the implementation, we used VMs instantiated inAmazon EC2. These machines have 1.7 GB of RAM, 160GB
of storage and a CPU that corresponds to a 1.2GHz Xeon.Three sets of experiments were performed. The first set isa comparison among different access control policies. Thesecond set is an evaluation of the number of metrics in a givenpolicy and the third, an evaluation of the influence of localand external metrics in the same policy. All of the times arein milliseconds (ms).
The results of the first set of experiments are shown inTable I, which presents the time spent to reach an accessdecision using three different policies: (i) only XACML; (ii)XACML + the policy of [34]; and (iii) XACML + [33]. All ofthe quantification and aggregation functions are implementedlocally. The increasing time is due to an increasing number ofmetrics.
TABLE I. PERFORMANCE OF RISK POLICIES
Policy min. (ms) max. (ms) avg (ms)XACML 0.925 4.278 1.040XACML+[34] 1.986 11.973 2.436XACML+[33] 4.395 14.234 5.352
In the second set of experiments, we used a risk policywith a varying number of metrics, all quantified locally. Allof the metrics just returned random values, so we could get aperformance result based only on the number of metrics andnot on the complexity of each metric. Table II shows the resultsof this set of experiments.
TABLE II. PERFORMANCE WITH A VARYING NUMBER OF METRICS
Number of metrics min. (ms) max. (ms) avg (ms)1 1.832 12.130 2.24310 2.612 12.876 3.171100 10.922 60.442 14.0301000 96.041 175.245 121.38310000 1168.511 1517.364 1361.025
Increasing the number of local metrics impacts the perfor-mance of the system, however, this impact can be toleratedeven with a huge number of metrics (10000). It is importantto notice that the impact on performance is due more to theprocessing of the XML file containing the policy than to theprocessing of the metrics.
In the third set of experiments, we used a risk policycontaining 10 policies which, as before, return random riskvalues. In this set, four kinds of policies were defined. CaseA represents 10 requests handled only by local XACML;case B represents 10 local risk quantification metrics; case Crepresents 5 local and 5 remote metrics (web services); andcase D represents a risk policy with 10 remote metrics. Inevery case the aggregation rule is local. Table 3 shows theresults obtained in each case.
TABLE III. PERFORMANCE WITH LOCAL AND EXTERNAL METRICS
Case min. (ms) max. (ms) avg (ms)A 1.057 9.372 1.46B 1.824 15.564 4.574C 1556.182 2813.56 1726.71D 3247.563 10350.5 4220.6
It is easy to notice that the use of web services heavilyimpacts performance and that the use of 10 remote metricsis already impracticable for an access control system. Finally,
</rp:metric>
<rp:metric>
<rp:name>Integrity</rp:name>
<rp:quantification>https://
localhost:8443/quantify-int</
rp:quantification>
</rp:metric>
</rp:metric-set>
<rp:aggregation-engine>https://localhost:8443/
aggregate</rp:aggregation-engine>
<rp:risk-threshold>1.5</rp:risk-threshold>
</rp:risk-policy>
A. Example of use
To illustrate the operation of the implementation we de-scribe an example of use. In this example, we consider onlyone CSP that stores and instantiates the resources of its users.
Suppose that Alice instantiates a virtual machine (VM) inthis CSP and decides that it accepts risk-based access control,which is supported by the CSP. She then defines an XACMLpolicy, a risk policy and a combination rule for this VM. Inthe XACML policy, Alice defines two types of access: (i) sheand users who belong to her group of friends can view themachine; and (ii) only she can edit or delete the machine. Allof the other actions, for all of the other users are forbidden.As risk policy, Alice uses the implementation of Sharma et al.[34], which consider metrics for Confidentiality, Integrity andAvailability.
Suppose that there are two more users in this CSP: Bob,who is in the group of Alice’s friends and Charlie, who is not.Considering the XACML access control, when Alice tries toaccess the machine for any action, her access is granted; whenBob tries to access the machine, he has the access granted forviewing, but not for editing or deleting; Charlie has the accessdenied for any action. Considering risk, the result is the samefor any user because in the implementation the past risk scorewas fixed in 1 for every user.
Let us explore an access decision for Charlie’s request toview Alice’s VM. The request comes to the PEP and is sent tothe PDP. At this moment the XACML PDP and the risk engineare called. In this case, the XACML decision would be DENY.The risk decision is based on the action chosen (viewing) andthe fact that the resource is sensitive. Thus, the impact resultswould be: 0 for availability (a), 0 for integrity (i) and 1 forconfidentiality (c) [34]. Since we have no history to base ourcalculations, let us consider the probability of occurrence ofevery result as 0.33 and the past risk score of every user as 1.The aggregated risk would then be:
((a * p1) + (i * p2) + (c * p3) + pastScore) = ((0 * 0.33)+ (0 * 0.33) + (1 * 0.33) + 1) = 1.33
Since the risk score (1.33) is lower than the thresholddefined in the policy (1.5), the risk decision is PERMIT. Thefinal result depends on the combination rule being used. Ifthe rule is Permit Overrides or Risk Precedence, the result isPERMIT, otherwise it is DENY.
B. Experiments
To test the implementation, we used VMs instantiated inAmazon EC2. These machines have 1.7 GB of RAM, 160GB
of storage and a CPU that corresponds to a 1.2GHz Xeon.Three sets of experiments were performed. The first set isa comparison among different access control policies. Thesecond set is an evaluation of the number of metrics in a givenpolicy and the third, an evaluation of the influence of localand external metrics in the same policy. All of the times arein milliseconds (ms).
The results of the first set of experiments are shown inTable I, which presents the time spent to reach an accessdecision using three different policies: (i) only XACML; (ii)XACML + the policy of [34]; and (iii) XACML + [33]. All ofthe quantification and aggregation functions are implementedlocally. The increasing time is due to an increasing number ofmetrics.
TABLE I. PERFORMANCE OF RISK POLICIES
Policy min. (ms) max. (ms) avg (ms)XACML 0.925 4.278 1.040XACML+[34] 1.986 11.973 2.436XACML+[33] 4.395 14.234 5.352
In the second set of experiments, we used a risk policywith a varying number of metrics, all quantified locally. Allof the metrics just returned random values, so we could get aperformance result based only on the number of metrics andnot on the complexity of each metric. Table II shows the resultsof this set of experiments.
TABLE II. PERFORMANCE WITH A VARYING NUMBER OF METRICS
Number of metrics min. (ms) max. (ms) avg (ms)1 1.832 12.130 2.24310 2.612 12.876 3.171100 10.922 60.442 14.0301000 96.041 175.245 121.38310000 1168.511 1517.364 1361.025
Increasing the number of local metrics impacts the perfor-mance of the system, however, this impact can be toleratedeven with a huge number of metrics (10000). It is importantto notice that the impact on performance is due more to theprocessing of the XML file containing the policy than to theprocessing of the metrics.
In the third set of experiments, we used a risk policycontaining 10 policies which, as before, return random riskvalues. In this set, four kinds of policies were defined. CaseA represents 10 requests handled only by local XACML;case B represents 10 local risk quantification metrics; case Crepresents 5 local and 5 remote metrics (web services); andcase D represents a risk policy with 10 remote metrics. Inevery case the aggregation rule is local. Table 3 shows theresults obtained in each case.
TABLE III. PERFORMANCE WITH LOCAL AND EXTERNAL METRICS
Case min. (ms) max. (ms) avg (ms)A 1.057 9.372 1.46B 1.824 15.564 4.574C 1556.182 2813.56 1726.71D 3247.563 10350.5 4220.6
It is easy to notice that the use of web services heavilyimpacts performance and that the use of 10 remote metricsis already impracticable for an access control system. Finally,
</rp:metric>
<rp:metric>
<rp:name>Integrity</rp:name>
<rp:quantification>https://
localhost:8443/quantify-int</
rp:quantification>
</rp:metric>
</rp:metric-set>
<rp:aggregation-engine>https://localhost:8443/
aggregate</rp:aggregation-engine>
<rp:risk-threshold>1.5</rp:risk-threshold>
</rp:risk-policy>
A. Example of use
To illustrate the operation of the implementation we de-scribe an example of use. In this example, we consider onlyone CSP that stores and instantiates the resources of its users.
Suppose that Alice instantiates a virtual machine (VM) inthis CSP and decides that it accepts risk-based access control,which is supported by the CSP. She then defines an XACMLpolicy, a risk policy and a combination rule for this VM. Inthe XACML policy, Alice defines two types of access: (i) sheand users who belong to her group of friends can view themachine; and (ii) only she can edit or delete the machine. Allof the other actions, for all of the other users are forbidden.As risk policy, Alice uses the implementation of Sharma et al.[34], which consider metrics for Confidentiality, Integrity andAvailability.
Suppose that there are two more users in this CSP: Bob,who is in the group of Alice’s friends and Charlie, who is not.Considering the XACML access control, when Alice tries toaccess the machine for any action, her access is granted; whenBob tries to access the machine, he has the access granted forviewing, but not for editing or deleting; Charlie has the accessdenied for any action. Considering risk, the result is the samefor any user because in the implementation the past risk scorewas fixed in 1 for every user.
Let us explore an access decision for Charlie’s request toview Alice’s VM. The request comes to the PEP and is sent tothe PDP. At this moment the XACML PDP and the risk engineare called. In this case, the XACML decision would be DENY.The risk decision is based on the action chosen (viewing) andthe fact that the resource is sensitive. Thus, the impact resultswould be: 0 for availability (a), 0 for integrity (i) and 1 forconfidentiality (c) [34]. Since we have no history to base ourcalculations, let us consider the probability of occurrence ofevery result as 0.33 and the past risk score of every user as 1.The aggregated risk would then be:
((a * p1) + (i * p2) + (c * p3) + pastScore) = ((0 * 0.33)+ (0 * 0.33) + (1 * 0.33) + 1) = 1.33
Since the risk score (1.33) is lower than the thresholddefined in the policy (1.5), the risk decision is PERMIT. Thefinal result depends on the combination rule being used. Ifthe rule is Permit Overrides or Risk Precedence, the result isPERMIT, otherwise it is DENY.
B. Experiments
To test the implementation, we used VMs instantiated inAmazon EC2. These machines have 1.7 GB of RAM, 160GB
of storage and a CPU that corresponds to a 1.2GHz Xeon.Three sets of experiments were performed. The first set isa comparison among different access control policies. Thesecond set is an evaluation of the number of metrics in a givenpolicy and the third, an evaluation of the influence of localand external metrics in the same policy. All of the times arein milliseconds (ms).
The results of the first set of experiments are shown inTable I, which presents the time spent to reach an accessdecision using three different policies: (i) only XACML; (ii)XACML + the policy of [34]; and (iii) XACML + [33]. All ofthe quantification and aggregation functions are implementedlocally. The increasing time is due to an increasing number ofmetrics.
TABLE I. PERFORMANCE OF RISK POLICIES
Policy min. (ms) max. (ms) avg (ms)XACML 0.925 4.278 1.040XACML+[34] 1.986 11.973 2.436XACML+[33] 4.395 14.234 5.352
In the second set of experiments, we used a risk policywith a varying number of metrics, all quantified locally. Allof the metrics just returned random values, so we could get aperformance result based only on the number of metrics andnot on the complexity of each metric. Table II shows the resultsof this set of experiments.
TABLE II. PERFORMANCE WITH A VARYING NUMBER OF METRICS
Number of metrics min. (ms) max. (ms) avg (ms)1 1.832 12.130 2.24310 2.612 12.876 3.171100 10.922 60.442 14.0301000 96.041 175.245 121.38310000 1168.511 1517.364 1361.025
Increasing the number of local metrics impacts the perfor-mance of the system, however, this impact can be toleratedeven with a huge number of metrics (10000). It is importantto notice that the impact on performance is due more to theprocessing of the XML file containing the policy than to theprocessing of the metrics.
In the third set of experiments, we used a risk policycontaining 10 policies which, as before, return random riskvalues. In this set, four kinds of policies were defined. CaseA represents 10 requests handled only by local XACML;case B represents 10 local risk quantification metrics; case Crepresents 5 local and 5 remote metrics (web services); andcase D represents a risk policy with 10 remote metrics. Inevery case the aggregation rule is local. Table 3 shows theresults obtained in each case.
TABLE III. PERFORMANCE WITH LOCAL AND EXTERNAL METRICS
Case min. (ms) max. (ms) avg (ms)A 1.057 9.372 1.46B 1.824 15.564 4.574C 1556.182 2813.56 1726.71D 3247.563 10350.5 4220.6
It is easy to notice that the use of web services heavilyimpacts performance and that the use of 10 remote metricsis already impracticable for an access control system. Finally,
Experiments
Fig. 4. Time spent to reach an access decision
Figure 4 shows the growth in time spent to reach an accessdecision as the number of metrics increase. The X axis isthe number of metrics and the Y axis is the time spent inmilliseconds. The solid line with square markers is for localmetrics and the dashed line with circular markers is for remotemetrics.
C. Discussion
Measuring security is not easy and for access controlsystems it usually involves the definition of a set of possiblestates and the proof that in no configuration of states there isleaking of permissions [35]. Since there is no formal modelingfor risk-based access control, it is not possible to prove itscorrectness and, therefore, its security. This is why there areno experiments related to the security of the system presentedin this paper.
Hu et al. [35] recommend assessing an access controlsystem based on: administrative capacity and costs, policycoverage, extensibility and performance.
The proposed model is equivalent to XACML in termsof administrative capacity and costs, only adding the need tomanage risk policies. The coverage of policies and extensibilityof the system can be shown through the implementation ofmodels presented in related work. The performance of thesystem was evaluated quantitatively and we can draw someconclusions from the experiments. It can be seen that using thesystem with local metrics presents a satisfactory performanceand despite a performance decrease with a bigger number ofmetrics, this is expected and the system does not become inef-ficient. The use of external metrics, however, heavily impactsthe system, because of the time spent in HTTP communication.
V. RELATED WORK
Fall et al. [21] focus on the authorization problems createdby multi-tenancy in the cloud. The authors argue that tradi-tional access control models are static and not well suited tothe cloud, while risk-based models are dynamic and naturallyadapted to this environment. The authors propose using theNSA RAdAC model and identify some risk situations for thecloud. The paper introduces the concept of risk-based accesscontrol for cloud computing, but shows no implementation.
Arias-Cabarcos et al. [36] describe current issues in FIMon cloud and propose using risk analysis to allow dynamic
federations. The authors propose using risk metrics to quantifyand aggregate risk and present a taxonomy of risk metricsconsidering pre-federation and post-federation stages. There isan example of use and the method is detailed. The proposal,however, considers a fixed set of metrics, not allowing usersor providers to define their metrics.
Sharma et al. [34] show a risk-based access control modelfor cloud e-health. According to the authors, RBAC does nottake into account uncertainty and risk, thus being unsuited forthe cloud. The paper presents a prototype implementation con-sidering three metrics: confidentiality, availability and integrity.In the model, every task to be accomplished in the systemis sent to the cloud, where a risk score is attributed to it.The model is implemented on top of RBAC, so it uses roledelegation along with the risk analysis.
Britton and Brown [33] present a quantification methodfor the NSA RAdAC model. In their proposed model, 27metrics are divided in 6 categories, evaluated for every accessrequest and aggregated to achieve a measure of the totalsecurity risk. Their risk definition considers both probabilityand impact as high, medium or low. They employ a triangularprobability distribution and a Monte Carlo simulation to findthe probability of each event, which is then multiplied by aweight attributed by experts to each metric. Since it is a methodfor military applications, some metrics are not suitable for ageneral cloud application.
Several works describe authentication and authorization indifferent cloud federation models [37, 38, 39, 31].
This work is an improvement on our previous work [32],which focused on the application of a similar model to cloudfederations. In the present work, the model has been revisedand we present new experiments and a greater analysis anddiscussion of the model.
VI. CONCLUSION
The development of access control systems for cloudcomputing is of great importance, because these systems arefundamental to enable the security of these environments.
Traditional access control models, currently implementedin most cloud solutions are not enough to ensure the securityof these environments when it is necessary to have a greaterflexibility to enable efficient information sharing in criticalsituations.
Risk-based access control models are an alternative and,despite the fact that there are proposals in the literature for itsuse in the cloud, they are very specific to a given situation,disallowing its application in a more general context and thereis no reference architecture that allows its extension.
This paper presented a dynamic risk-based access controlarchitecture for cloud computing, with an application to cloudfederations. The architecture is built as an XACML extension,adding flexibility for resource and information sharing in adynamic environment such as the cloud, while keeping thedistribution and scalability features. The architecture is basedon the use of risk policies, which describe the risk metricsconsidered most important by users and providers.
Conclusion• AC systems for the cloud are of great importance and traditional
AC models are not enough for the cloud
• Risk-based AC tend to be very specific to a given scenario, we tried to make it more general, to be applied in a CSP
• We presented, implemented and evaluated the performance of our architecture
• As future work, we would like to: integrate the architecture into a mature cloud federation project; implement other risk quantification methods; improve the performance of external metrics (caching, concurrent requests, …); and develop a reference set of risk metrics for the cloud
References• [1] D. Fall, G. Blanc, T. Okuda, Y. Kadobayashi, and S. Yamaguchi, “Toward
Quantified Risk-Adaptive Access Control for Multi-tenant Cloud Computing,” in Proceedings of the 6th Joint Workshop on Information Security, October 2011.
• [2] P. Arias-Cabarcos, F. Almenárez-Mendoza, A. Marín- López, D. Díaz-Sánchez, and R. Sánchez-Guerrero, “A metric-based approach to assess risk for “on cloud” federated identity management,” Journal of Network and Systems Management, vol. 20, pp. 513–533, 2012.
• [3] M. Sharma, Y. Bai, S. Chung, and L. Dai, “Using risk in access control for cloud-assisted ehealth,” in IEEE 14th International Conference on High Performance Comput- ing and Communication, 2012, 2012, pp. 1047–1052.
• [4] D. Britton and I. Brown, A security risk measurement for the RAdAC model, 2007.
73#
RAClouds#–#Risk#Analysis##for#Clouds#
NOVEMBER#16TH,#LISBON,#PORTUGAL# 73#IARIA#NetWare#2014#K#TUTORIAL#2#
• Introduction
• Related Work
• Approach of the Proposed Solution
Introduction
• The safety evaluation of providers is a big challenge for CCs (CSA, 2011)
• Risk analysis includes (ISO 27005, 2011): – Identification of the need for controls – Evaluation of the efficiency of controls
Introduction
• Risk Analysis can assist the CC – for the selection and maintenance of your CSP
• But consider: – Business requirements – Broad scope of risk – Regardless of CSP
Introduction
• The lack of these principles generates: – Disregard the requirements of the client's
business – Limited selection of possible security
requirements – Customer distrust regarding disclosure of
risks encountered
Introduction
• Propose a computational model in which a CC (consumer cloud) can perform risk analysis in a CSP (Cloud Service Proveder) so:
– Adherent (needs CC); – Comprehensive (proper scope); – Independent (relative to CSP)
Related Work
• Dey (2013): integration with mobile devices;
• Zhou (2013): performance testing;
• Kolluru (2013): Client connection to the cloud;
• Lor (2012): applications in federations of clouds;
Related Work
• Grobauer (2012): Mapping specific vulnerabilities of cloud computing;
• Rot (2013): Study of threats in the cloud;
• Luna (2012): SLAs for cloud security;
• Bleikertz (2013): assessment by the CC;
• Grezele (2013): risks related to cloud database;
Related Work
• Ristov (2012): Risk analysis based on ISO 27001;
• Ristov (2013): Risk Analysis for OpenStack, Eucalyptus, OpenNebula and CloudStack environment;
• Mirkovié (2013): ISO 27001 controls the cloud;
• Bhensook (2012) and Ullah (2013):
– Effort CSA for safety assessment
– CloudAudit model
– Based on ISO 27001
Related Work
• Hale (2012): SecAgreement for monitoring security metrics;
• Zech (2012): Risk analysis of external interfaces; • Wang (2012): analysis of risk based CVE; • Khosravani (2013): a case study of the
requirements of CC; • Lenkala (2013): metrics for risk analysis in the
cloud; • Liu (2013): Risk assessment in virtual machines;
Proposed Solution
Proposed Solution
• Agent ISL: – Definition of threats and vulnerabilities – Risk describes a descriptor using RDL - Risk
Definition Languagem – Specifies the form of risk assessment through a
WSRA - Risk Analyser WebService – RDLs and provides WSRAs for RACloud
Proposed Solution
• Agent CC: – Definition of information assets – Complements the RDL with the impact of
information – Provides extension to the RDL RACloud – Start the assessment and receive results
Proposed Solution
• CSP Agent: – Imports RDLs RACloud – Implements calls to WSRAs – Make the Call of risk assessments of ISLs
Proposed Solution
Proposed Solution
Proposed Solution
Proposed Solution
Proposed Solution
• Model is organized into:
– Specification phase: environmental risk analysis is configured;
– Evaluation Phase: risk analysis is performed;
Proposed Solution
• Component Specification: – Registry Manager: Records CC, CSP and ISL
manager; – RDL Manager: descriptors of risk (threat +
vulnerability) manager; – RDL Manager Extensions: Extensions
RDL (information assets) manager;
Proposed Solution
Proposed Solution
• Components of Evaluation: – Risk Analysis: Does the coordination between other
internal components; – RA Processor: establishes relationships and makes the
calculation of risk; – Impacts Evaluation: assessing the impact on CC; – CSP Proxy: call for testing the ISL; – WSRA Evaluation: evaluation of safety requirements;
Proposed Solution
Proposed Solution
Discussion
• Multiple ISLs can act in defining RDLs and WSRAs (coverage)
• The related works do not meet these characteristics
• Are usually focused on specific evaluations by PHC itself, without considering the CC
Discussion
Discussion
References
• M. K. Srinivasan et al., “State-of-the-art cloud computing security taxonomies: a classification of security challenges in the present cloud computing environment”. ICACCI '12: Proceedings of the International Conference on Advances in Computing, Communications and Informatics. August 2012.
• J. Zhang, D. Sun and D. Zhai, "A research on the indicator system of Cloud Computing Security Risk Assessment," Quality, Reliability, Risk, Maintenance, and Safety Engineering (ICQR2MSE), 2012 International Conference on , vol., no., pp.121,123, 15-18 June 2012 doi: 10.1109/ ICQR2MSE. 2012.6246200.
• M. L. Hale and R. Gamble, "SecAgreement: Advancing Security Risk Calculations in Cloud Services," Services (SERVICES), 2012 IEEE Eighth World Congress on , vol., no., pp.133-140, 24-29 June 2012 doi: 10.1109/SERVICES.2012.31.
• P. Zech, M. Felderer and R. Breu, "Towards a Model Based Security Testing Approach of Cloud Computing Environments," Software Security and Reliability Companion (SERE-C), 2012 IEEE Sixth International Conference on , vol., no., pp.47,56, 20-22 June 2012 doi: 10.1109/SERE-C.2012.11.
• P. Wang et al., "Threat risk analysis for cloud security based on Attack-Defense Trees," Computing Technology and Information Management (ICCM), 2012 8th International Conference on, vol.1, no., pp.106-111, 24-26 April 2012.
• S. Ristov, M. Gusev and M. Kostoska, "A new methodology for security evaluation in cloud computing," MIPRO, 2012 Proceedings of the 35th International Convention , vol., no., pp.1484-1489, 21-25 May 2012.
• J. Morin, J. Aubert and B. Gateau, "Towards Cloud Computing SLA Risk Management: Issues and Challenges," System Science (HICSS), 2012 45th Hawaii International Conference on , vol., no., pp.5509-5514, 4-7 Jan. 2012 doi: 10.1109/HICSS.2012.602.